elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-08-04 14:21:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
532c40d311fcf8160630b2dec7f7d9b877586cec
debian-cis/bin/hardening/at_is_restricted.sh
damien cavagnini 532c40d311 feat: add debian12 scripts 
- at_is_restricted.sh			-> 2.4.2.1
- wireless_interfaces_disabled.sh	-> 3.1.2
- bluetooth_is_disabled.sh 		-> 3.1.3
- sudo_no_nopasswd.sh 			-> 5.2.4
- aide_is_installed.sh 			-> 6.1.1
2025-07-31 12:03:36 +02:00

156 lines
4.6 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure at is restricted to authorized users (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure at is restricted to authorized users"
PACKAGE="at"
# This function will be called if the script status is on enabled / audit mode
audit() {
ALLOW_EXISTS=1
ALLOW_VALID=0
DENY_EXISTS=1
DENY_EMPTY=1
DENY_VALID=0
is_pkg_installed "$PACKAGE"
if [ "$FNRET" -eq 1 ]; then
ok "$PACKAGE is not installed"
else
does_file_exist "/etc/at.allow"
if [ "$FNRET" -eq 0 ]; then
ALLOW_EXISTS=0
if [ "$(stat -Lc '%U' /etc/at.allow)" != 'root' ]; then
ALLOW_VALID=1
crit "'/etc/at.allow' is not owned by root"
fi
group="$(stat -Lc '%G' /etc/at.allow)"
if [ "$group" != 'root' ] && [ "$group" != 'daemon' ]; then
ALLOW_VALID=1
crit "'/etc/at.allow' is not owned by group root or group 'daemon'"
fi
if [ "$(stat -Lc '%a' /etc/at.allow)" != '640' ]; then
ALLOW_VALID=1
crit "'/etc/at.allow' perms is not '640'"
fi
fi
does_file_exist "/etc/at.deny"
if [ "$FNRET" -eq 0 ]; then
DENY_EXISTS=0
is_file_empty "/etc/at.deny"
if [ "$FNRET" -eq 0 ]; then
DENY_EMPTY=0
fi
if [ "$(stat -Lc '%U' /etc/at.deny)" != 'root' ]; then
DENY_VALID=1
crit "'/etc/at.deny' is not owned by root"
fi
group="$(stat -Lc '%G' /etc/at.deny)"
if [ "$group" != 'root' ] && [ "$group" != 'daemon' ]; then
DENY_VALID=1
crit "'/etc/at.deny' is not owned by group 'root' or group 'daemon'"
fi
if [ "$(stat -Lc '%a' /etc/at.deny)" != '640' ]; then
DENY_VALID=1
crit "'/etc/at.deny' perms is not '640'"
fi
fi
if [ "$ALLOW_EXISTS" -eq 1 ] && [ "$DENY_EXISTS" -eq 1 ]; then
ok "only superuser is allowed to run 'at' commands"
elif [ "$ALLOW_EXISTS" -eq 1 ] && [ "$DENY_EXISTS" -eq 0 ]; then
if [ "$DENY_EMPTY" -eq 0 ]; then
crit "all users are allowed to execute 'at' commands"
elif [ "$DENY_VALID" -eq 1 ]; then
crit "'/etc/at.deny' exists but is misconfigured"
else
ok "'/etc/at.deny' exists and is well configured"
fi
fi
if [ "$ALLOW_EXISTS" -eq 0 ] && [ "$ALLOW_VALID" -eq 1 ]; then
crit "'/etc/at.allow' exists but is misconfigured"
elif [ "$ALLOW_EXISTS" -eq 0 ] && [ "$ALLOW_VALID" -eq 0 ]; then
ok "'/etc/at.allow' exists and is well configured"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
audit
if [ "$ALLOW_EXISTS" -eq 1 ] && [ "$DENY_EXISTS" -eq 0 ]; then
if [ "$DENY_EMPTY" -eq 0 ]; then
info "Removing '/etc/at.deny'"
rm -f /etc/at.deny
elif [ "$DENY_VALID" -eq 1 ]; then
info "set perms and owner on '/etc/at.deny'"
chmod 0640 /etc/at.deny
chown root /etc/at.deny
if [ "$(stat -Lc '%G' /etc/at.deny)" != "daemon" ]; then
chgrp root /etc/at.deny
fi
fi
fi
if [ "$ALLOW_EXISTS" -eq 0 ] && [ "$ALLOW_VALID" -eq 1 ]; then
info "set perms and owner on '/etc/at.allow'"
chmod 0640 /etc/at.allow
chown root /etc/at.allow
if [ "$(stat -Lc '%G' /etc/at.allow)" != "daemon" ]; then
chgrp root /etc/at.allow
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi
Reference in New Issue View Git Blame Copy Permalink